Patching Windows Executables With The Backdoor Factory

via YouTube

Overview

Explore the intricacies of patching Windows executables with The Backdoor Factory in this DerbyCon 3.0 conference talk by Joshua Pitts. Delve into the world of executable patching, its history, and its relevance to security professionals. Learn about various patching methods, including the MS Method and Metasploit's approach. Gain insights into the Portable Executable Format and the Common Object File Format (COFF). Witness live demonstrations on finding code caves and prototyping shellcode. Discover how The Backdoor Factory (BDF) works and its evolution. Compare different attack scenarios and methods, including MSFVENOM and BDF Cave Jumping. Examine enterprise mitigations and the progress made on x64 stagers. This comprehensive talk covers everything from basic concepts to advanced techniques in Windows executable patching, making it valuable for both beginners and experienced security professionals.

Syllabus

Intro
Other Potential Titles
Overview
What is Patching
Security Pros and Patching
History of Patching
The MS Method
How Metasploit Patches
MSF Create Thread Method (Keep)
MSFVenom Win64 Patching Support
The Portable Executable Format
The Common Object File Format (COFF) Format
CTP Methods
How are code caves created?
Find Code Caves Demo
Solution: BDF
How BDF works
Original Way BDF Worked
DEMO - Prototyping shellcode
DEMO - Injector Module
Attack Scenarios or Methods
Mitigations - UPX Encoding
Mitigations - Self Validation
MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
win32 BDF vs win64 BDF
Enterprise Mitigations
Progress on x64 Stager
